tentatively merged into cifs-2.6.git for-next (and to the github tree
for next buildbot run)
On Tue, Jun 4, 2019 at 7:15 PM Ronnie Sahlberg <lsahlber@xxxxxxxxxx> wrote:
>
> RH Bugzilla: 1702264
>
> We need to protect so that the call to smb2_reconnect() in
> smb2_reconnect_server() does not end up freeing the session
> because it can lead to a use after free and crash.
>
> Reviewed-by: Aurelien Aptel <aaptel@xxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>
> ---
> fs/cifs/smb2pdu.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 565b60b62f4d..ab8dc73d2282 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -3113,9 +3113,14 @@ void smb2_reconnect_server(struct work_struct *work)
> tcon_exist = true;
> }
> }
> + /*
> + * IPC has the same lifetime as its session and uses its
> + * refcount.
> + */
> if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
> list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
> tcon_exist = true;
> + ses->ses_count++;
> }
> }
> /*
> @@ -3134,7 +3139,10 @@ void smb2_reconnect_server(struct work_struct *work)
> else
> resched = true;
> list_del_init(&tcon->rlist);
> - cifs_put_tcon(tcon);
> + if (tcon->ipc)
> + cifs_put_smb_ses(tcon->ses);
> + else
> + cifs_put_tcon(tcon);
> }
>
> cifs_dbg(FYI, "Reconnecting tcons finished\n");
> --
> 2.13.6
>
--
Thanks,
Steve
